Bug 1088904
| Field | Value |
|---|---|
| Summary | SELinux AVC raises when cmpi-fsvol is used |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Robin Hack <rhack> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Karel Srot <ksrot> |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | 7.0 |
| CC | amahdal, ksrot, lvrabec, mgrepl, mmalik, rhack, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-34.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-11-19 10:22:16 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1231640 |
| Attachments | |
Description (Robin Hack, 2014-04-17 12:05:57 UTC)

Comment #2 (Miroslav Grepl):

It looks there is a missing label for a provider. Which provider did you use?

Comment #3 (Milos Malik):

I can reproduce the same AVC too, but there are no additional providers:

    # ls -Z /usr/libexec/pegasus/
    -rwxr-xr-x. root pegasus system_u:object_r:bin_t:s0 cimprovagt
    #

Comment:

(In reply to Milos Malik from comment #3)
> I can reproduce the same AVC too, but there are no additional providers:
>
> # ls -Z /usr/libexec/pegasus/
> -rwxr-xr-x. root pegasus system_u:object_r:bin_t:s0 cimprovagt
> #

This looks like a different bug. Good catch.

Comment:

(In reply to Miroslav Grepl from comment #2)
> It looks there is a missing label for a provider. Which provider did you use?

I use sblim-cmpi-fsvol under tog-pegasus. cimprovagt is just an SO library loader. sblim-cmpi-fsvol adds .so libraries under a different path:

    /usr/lib64/cmpi/libcmpiOSBase_BlockStorageStatisticalDataProvider.so
    /usr/lib64/cmpi/libcmpiOSBase_BootOSFromFSProvider.so
    /usr/lib64/cmpi/libcmpiOSBase_HostedFileSystemProvider.so
    /usr/lib64/cmpi/libcmpiOSBase_LocalFileSystemProvider.so
    /usr/lib64/cmpi/libcmpiOSBase_NFSProvider.so
    /usr/lib64/libcmpiOSBase_CommonFsvol.so.0
    /usr/lib64/libcmpiOSBase_CommonFsvol.so.0.0.0

Additional info: if you want to know which providers are installed, just use:

    # cimprovider -l
    OperatingSystemModule
    ComputerSystemModule
    ProcessModule
    SLPProviderModule
    cmpiOSBase_BaseBoardProvider
    cmpiOSBase_ComputerSystemProvider
    cmpiOSBase_CSBaseBoardProvider
    cmpiOSBase_CSProcessorProvider
    cmpiOSBase_OperatingSystemProvider
    cmpiOSBase_OperatingSystemStatisticalDataProvider
    cmpiOSBase_OperatingSystemStatisticsProvider
    cmpiOSBase_OSProcessProvider
    cmpiOSBase_ProcessorProvider
    cmpiOSBase_RunningOSProvider
    cmpiOSBase_UnixProcessProvider
    cmpiOSBase_BlockStorageStatisticalDataProvider
    cmpiOSBase_BootOSFromFSProvider
    cmpiOSBase_HostedFileSystemProvider
    cmpiOSBase_LocalFileSystemProvider
    cmpiOSBase_NFSProvider

Comment:

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment:

And how about permissive mode?

Comment:

Created attachment 963754: AVCs caused by various providers

A dontaudit candidate?

    ----
    type=PATH msg=audit(12/10/2014 10:17:10.213:570) : item=0 name=/root/.local/lib/python2.7/site-packages objtype=UNKNOWN
    type=CWD msg=audit(12/10/2014 10:17:10.213:570) : cwd=/var/lib/Pegasus/cache/trace
    type=SYSCALL msg=audit(12/10/2014 10:17:10.213:570) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fe334029fb0 a1=0x7fe33d7de840 a2=0x7fe33d7de840 a3=0x6b6361702d657469 items=1 ppid=1 pid=3801 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_storage_t:s0 key=(null)
    type=AVC msg=audit(12/10/2014 10:17:10.213:570) : avc: denied { search } for pid=3801 comm=cimprovagt name=.local dev="vda3" ino=118746 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
    ----

Appears in enforcing mode only:

    ----
    type=PATH msg=audit(12/10/2014 12:20:14.793:2089) : item=0 name=/sys inode=1 dev=00:10 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL
    type=CWD msg=audit(12/10/2014 12:20:14.793:2089) : cwd=/var/lib/Pegasus/cache/trace
    type=SYSCALL msg=audit(12/10/2014 12:20:14.793:2089) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) a0=0x7f27ce2ee2a0 a1=0x7f27d4264400 a2=0x7f27ce6fc2a0 a3=0x7f27d13082a0 items=1 ppid=1 pid=12647 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_system_t:s0 key=(null)
    type=AVC msg=audit(12/10/2014 12:20:14.793:2089) : avc: denied { getattr } for pid=12647 comm=cimprovagt name=/ dev="sysfs" ino=1 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
    ----

Comment #17 (Lukas Vrabec):

I'm fine with the patch from Simon, just one thing: could I see the AVC related to this rule?

    allow pegasus_openlmi_storage_t etc_t:file create;

Thank you

Comment:

(In reply to Lukas Vrabec from comment #17)
> I'm fine with patch from Simon, just one thing, could I see avc related to
> this rule?
> allow pegasus_openlmi_storage_t etc_t:file create;

    ----
    type=PATH msg=audit(12/02/2014 14:13:11.793:795) : item=1 name=/etc/mdadm.conf.anacbak objtype=CREATE
    type=PATH msg=audit(12/02/2014 14:13:11.793:795) : item=0 name=/etc/ inode=8388737 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
    type=CWD msg=audit(12/02/2014 14:13:11.793:795) : cwd=/var/lib/Pegasus/cache/trace
    type=SYSCALL msg=audit(12/02/2014 14:13:11.793:795) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f9c8ca43490 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x1 items=2 ppid=1 pid=7199 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_storage_t:s0 key=(null)
    type=AVC msg=audit(12/02/2014 14:13:11.793:795) : avc: denied { create } for pid=7199 comm=cimprovagt name=mdadm.conf.anacbak scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Comment:

So we can add a filename transition rule.

Comment:

    commit 7d530cb33f805c41eca18917cd57daa0ad01f625
    Author: Lukas Vrabec <lvrabec>
    Date:   Thu Jul 16 14:36:29 2015 +0200

        Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.

    commit d8cf9fbaa143635a73452e7109029cc6a2966a71
    Author: Simon Sekidde <ssekidde>
    Date:   Sun Jun 21 14:02:01 2015 -0400

        Add fixes to pegasus_openlmi_domain

        Resolves:#1088904

Comment:

Sorry, I have no idea how to reproduce this either.

Comment:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
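The thread above turns three AVC denials into three different remedies: one is called a dontaudit candidate, one appears in enforcing mode only and simply needs an allow rule, and the `create` in `etc_t` is answered with a filename transition rather than a blanket write permission on `etc_t`. As an added example (not code from the bug report or from the selinux-policy project), the script below parses the AVC records quoted in the comments, renders for each the allow rule it implies in audit2allow's format, and applies a small triage that encodes the thread's own conclusions. The sample input is the report's three `type=AVC` lines; the triage heuristics (home-directory probing as dontaudit material, file creation in a shared directory type as a filename-transition candidate) are my assumptions, not rules from the policy.

```python
import re

# The three type=AVC records quoted in this bug report, used as sample input.
SAMPLE_AVCS = [
    'type=AVC msg=audit(12/10/2014 10:17:10.213:570) : avc: denied { search } for pid=3801 '
    'comm=cimprovagt name=.local dev="vda3" ino=118746 '
    'scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 '
    'tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir',
    'type=AVC msg=audit(12/10/2014 12:20:14.793:2089) : avc: denied { getattr } for pid=12647 '
    'comm=cimprovagt name=/ dev="sysfs" ino=1 '
    'scontext=system_u:system_r:pegasus_openlmi_system_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(12/02/2014 14:13:11.793:795) : avc: denied { create } for pid=7199 '
    'comm=cimprovagt name=mdadm.conf.anacbak '
    'scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# "{ perm1 perm2 }" after "avc: denied"; the braces may hold several permissions.
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# key=value tokens; values may be double-quoted (dev="vda3") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type component of a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record into its rule-relevant parts.

    Returns None for records that are not AVC denials (SYSCALL, PATH, CWD),
    so a whole ausearch dump can be fed through unchanged.
    """
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        'perms': m.group(1).split(),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'name': fields.get('name'),
        'comm': fields.get('comm'),
    }


def derive_rule(rec):
    """Render the allow rule that would silence this denial (audit2allow style)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def triage(rec):
    """Decide how a denial should be handled instead of allowing it verbatim.

    Assumed heuristics mirroring this thread's conclusions, not policy rules.
    """
    if 'create' in rec['perms'] and rec['tclass'] == 'file' and rec['name']:
        # Creating a named file inside a shared directory type (etc_t here)
        # wants a filename transition to a private type, not write access
        # to everything labelled etc_t.
        return 'filename-transition candidate'
    if rec['ttype'].endswith('home_t') and set(rec['perms']) <= {'search', 'getattr', 'read'}:
        # A system daemon probing a user's home directory is noise to silence.
        return 'dontaudit candidate'
    return 'allow candidate'


def analyse(lines):
    """Return (rule, verdict) pairs for every AVC denial among the given lines."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            results.append((derive_rule(rec), triage(rec)))
    return results


if __name__ == '__main__':
    for rule, verdict in analyse(SAMPLE_AVCS):
        print(f'{verdict:32} {rule}')
```

Run as a script it prints one line per denial; in practice you would pipe `ausearch -m avc` output through `analyse` and review the verdicts before writing any rule, since the `create` case shows why the first allow rule that silences a denial is not always the right policy change.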